As of PHP 5.1.2, header() can no longer be used to send
multiple response headers in a single call to prevent the
HTTP Response Splitting Attack. header() only checks the
linefeed (LF, 0x0A) as the line-end marker; it doesn't check
the carriage-return (CR, 0x0D).

However, some browsers, including Google Chrome and IE, also
recognize CR as the line-end.

The current specification of header() is still vulnerable
to the HTTP header splitting attack.
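
A defensive wrapper for the gap described above, as an added example that is not part of the original report or of PHP itself: the hypothetical helpers `has_line_break()` and `safe_header()` reject CR as well as LF before the value reaches header(). The sample values are constructed, and the header-name pattern is a deliberately conservative assumption.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a PHP built-in): true if the value contains
// CR (0x0D) or LF (0x0A), either of which a client may treat as line-end.
function has_line_break(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Hypothetical wrapper around header(): sends the header only when both
// the name and the value are confined to a single line.
function safe_header(string $name, string $value): bool
{
    // The D modifier stops "$" from matching before a trailing newline.
    if (preg_match('/^[A-Za-z0-9-]+$/D', $name) !== 1) {
        return false;
    }
    if (has_line_break($value)) {
        return false;
    }
    header($name . ': ' . $value);
    return true;
}

// Constructed sample values, checked without sending anything.
$samples = [
    'plain'   => 'en-US',
    'with LF' => "en-US\nX-Injected: 1",
    'with CR' => "en-US\rX-Injected: 1",
];
foreach ($samples as $label => $value) {
    printf("%-8s %s\n", $label, has_line_break($value) ? 'rejected' : 'accepted');
}
```

Run from the CLI, the loop reports the plain value as accepted and both the LF and CR variants as rejected.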